I do not believe you will get RACF SMF and console messages for this type of probing. It is my understanding that TSO performs a RACROUTE REQUEST=EXTRACT to obtain the data to fill in the various fields in the logon panel. When retrieving or replacing fields, the RACF manual explicitly states:

"Logging of RACROUTE REQUEST=EXTRACT invocations is not done except indirectly. Logging can occur during field access checking if the RACROUTE REQUEST=AUTH request exit requests it."

Therefore I do not believe any logging would be performed.

Lou

--
Artificial Intelligence is no match for Natural Stupidity
  - Unknown

On Mon, Jan 5, 2015 at 10:18 AM, Joel Ewing <jcew...@acm.org> wrote:

> On 01/05/2015 09:35 AM, Paul Gilmartin wrote:
> > On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote:
> >
> >>> For TSO, you can probe for known user ids, but you will see a lot of LOGON and IEA989I message in the SYSLOG.
> >>
> >> Only if you set a specific SLIP trap for this condition.
> >>
> > In the video cited:
> >
> >> On Jan 2, 2015, at 3:31 PM, Mark Regan wrote:
> >>>
> >>> Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, by a
> >>> Philip Young and it's about an hour long.
> >>>
> >>> http://youtu.be/uL65zWrofvk
> >
> > ... the speaker opined that such probing is less likely to be detected by
> > Security than by Operations as a spike in CPU usage.
> >
> > -- gil
> >
> RACF uses SMF and console messages to record logon/authentication
> failures. These could be intercepted in real time to alert someone of
> unusual probing while it is occurring. We used independent review of
> daily summary reports generated from RACF SMF records to verify that
> such probing had not occurred, just the typical typos and forgotten
> passwords from terminals within the corporation. With our normal system
> workload, someone would have been more likely to notice a flood of
> unusual console messages than see any noticeable impact on CPU.
>
> --
> Joel C. Ewing, Bentonville, AR jcew...@acm.org
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------